Intrusion Detection FAQ: Can I use the MAC address of an Ethernet packet to trace an attacker?

If the attack originated from a system that has a direct connection to your system with no gateway in between, then you can use the MAC address. But, if a gateway is in the path, then the gateway replaces the MAC address of the sender with its own address. As a result, you can trace the attack to the gateway only. If the gateway has extensive logging enabled, you might consider searching the log file for more information.